Audit Report

OIG-12-031
Management Letter for the Audit of the Office of D.C. Pensions' Fiscal Years 2011 and 2010 Financial Statements
December 16, 2011

Office of Inspector General
Department of the Treasury


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

OFFICE OF INSPECTOR GENERAL

December 16, 2011

MEMORANDUM FOR NANCY OSTROWSKI, DIRECTOR
               OFFICE OF D.C. PENSIONS

FROM:          Michael Fitzgerald
               Director, Financial Audits

SUBJECT:       Management Letter for the Audit of the Office of D.C. Pensions' Fiscal Years 2011 and 2010 Financial Statements

I am pleased to transmit the attached management letter in connection with the audit of the Office of D.C. Pensions' (ODCP) Fiscal Years 2011 and 2010 financial statements. Under a contract monitored by the Office of Inspector General, KPMG LLP, an independent certified public accounting firm, performed an audit of the financial statements of ODCP as of September 30, 2011 and 2010, and for the years then ended. The contract required that the audit be performed in accordance with generally accepted government auditing standards; applicable provisions of Office of Management and Budget Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended; and the GAO/PCIE Financial Audit Manual.

As part of its audit, KPMG LLP issued and is responsible for the accompanying management letter that discusses other matters involving internal control over financial reporting and its operation that were identified during the audit but were not required to be included in the auditors' reports.

In connection with the contract, we reviewed KPMG LLP's letter and related documentation and inquired of its representatives. Our review disclosed no instances where KPMG LLP did not comply, in all material respects, with generally accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789, or a member of your staff may contact Shiela Michel, Manager, Financial Audits, at (202) 927-5407.

Attachment


KPMG LLP
2001 M Street, NW
Washington, DC 20036-3389

December 5, 2011

Inspector General, U.S. Department of the Treasury, and
Director, Office of D.C. Pensions

We have audited the consolidated financial statements of the U.S. Department of the Treasury's Office of D.C. Pensions (the ODCP) for the year ended September 30, 2011, and have issued our report thereon dated December 5, 2011. In planning and performing our audit of the consolidated financial statements of the ODCP, in accordance with auditing standards generally accepted in the United States of America, the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended, we considered the ODCP's internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements but not for the purpose of expressing an opinion on the effectiveness of the ODCP's internal control. Accordingly, we do not express an opinion on the effectiveness of the ODCP's internal control.

During our audit we noted certain matters involving internal control and other operational matters that are presented for your consideration. These findings and recommendations, all of which have been discussed with the appropriate members of management, are intended to improve internal control or result in other operating efficiencies and are summarized in Appendix A to this report.

In addition, we identified certain deficiencies in internal control over financial reporting that we consider collectively to be a significant deficiency, and communicated them in writing as Exhibit I to the Independent Auditors' Report on Internal Control Over Financial Reporting to management and those charged with governance on December 5, 2011.

Our audit procedures are designed primarily to enable us to form an opinion on the consolidated financial statements, and therefore may not bring to light all deficiencies in policies or procedures that may exist. We aim, however, to use our knowledge of the ODCP's organization gained during our work to make comments and suggestions that we hope will be useful to you.

The ODCP's responses to our findings and recommendations are included in Exhibit I. We did not audit the ODCP's responses and, accordingly, we express no opinion on them.

We would be pleased to discuss these comments and recommendations with you at any time.

This communication is intended solely for the information and use of the ODCP's management, the U.S. Department of the Treasury's Office of Inspector General, OMB, the U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,


Appendix A

FINDINGS AND RECOMMENDATIONS

Improve compliance with Treasury Directive Publication 85-01

During our review of the Office of D.C. Pensions' (ODCP) System to Administer Retirement (STAR) password parameters, we identified that the system was not in compliance with the password history requirements set forth in Treasury Directive Publication (TD P) 85-01, Treasury Information Technology Security Program, amendment #2.2.5 adopted August 6, 2010. TD P 85-01 requires the retention of a password history of 10 previous passwords effective May 6, 2011. We noted the STAR application is configured to retain a password history of 6 previous passwords, which is not in compliance with TD P 85-01.

ODCP performs a Security Testing and Assessment (STA) annually, which is also when the identification and implementation of new federal system requirements is conducted. The annual STA testing activity was performed in June 2010, before TD P 85-01 was revised in August 2010 to require the retention of 10 previous passwords. The current timing of the STA does not allow for timely implementation of, and compliance with, updated Treasury or new federal system regulations and requirements.

The password history retention was subsequently corrected by ODCP in June 2011.

Recommendations

We recommend ODCP: (1) Update the STAR Account Management Policy and Procedures Manual to be in accordance with TD P 85-01; and (2) Implement a process to monitor compliance with updated Treasury Directive Publications and other Federal requirements on a more frequent basis.

Management's Response

1. As of June 8, 2011, STAR has been updated to retain a password history of 10 previous passwords. In addition, the STAR Account Management Policy and Procedures Manual and the STAR Rules of Behavior have been updated to be in accordance with security control IA-5(1) as identified in TD P 85-01.

2. As part of preparing for the annual security test and evaluation, ODCP will periodically check the TreasNet Cyber Security Program webpage for updated requirements.


Improve Annuitant Recordkeeping

During our testing of 85 new annuitant and beneficiary payments processed by the District of Columbia Retirement Board (DCRB) for the Police & Firefighters and Teachers retirement plans, DCRB was not able to locate and provide all annuitant files on a timely basis.

One file was located about one month later, and the other file was lost and had to be recreated.

The Memorandum of Understanding (MOU) Concerning Interim Benefit Administration of Retirement Programs dated September 26, 2005, section 4.5 Recordkeeping, requires DCRB to "keep timely and accurate records of all matters within the scope of its responsibilities covered by this Memorandum and the First Amended MOU, and shall retain and preserve all records transferred to the Retirement Board by the District until such time that the final reconciliation is complete and disposal of the records are otherwise consistent with applicable records disposition schedules. Such records include, records of benefit determinations and records and other information relied upon in making such determinations, the amount and timing of Federal Benefit Payments and District Benefit Payments, the amount of each Refund, Lump Sum Payment or Prior Service Deposit, the manner in which it was calculated, the name of the individual receiving the Refund, Lump Sum Payment or making the Prior Service Deposit, the dates of service with respect to which such Refund, Lump Sum Payment or Prior Service Deposit is made and the employer for whom the service associated with a Prior Service Deposit was performed, and the date on which each Refund or Lump Sum Payment was paid."

OMB Circular No. A-123, Management's Responsibility for Internal Control, in the introduction section notes the requirements of the Federal Managers' Financial Integrity Act (FMFIA) of 1982: "The agency head must establish controls that reasonably ensure that ... iii. Revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets."

In addition, the U.S. Government Accountability Office's (GAO) Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1) (the Standards) states: "Control activities occur at all levels and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation. Control activities may be applied in a computerized information system environment or through manual processes."

Recommendations

We recommend that the ODCP: (1) Work with DCRB to ensure they are in compliance with the Recordkeeping requirement as specified in the MOU Concerning Interim Benefit Administration of Retirement Programs dated September 26, 2005, section 4.5; and (2) Take appropriate steps to inform DCRB management of the importance of the preservation, maintenance, and monitoring of annuitant files at DCRB by requesting DCRB to implement a file tracking system to include the person with custody of annuitant files, secondary review, file scanning and quality review processes.

Management's Response

1. ODCP will conduct training with applicable DCRB staff on recordkeeping requirements.

2. ODCP will propose to DCRB the idea of implementing a file tracking system to include the person with custody of annuitant files, secondary review, file scanning and quality review processes.
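The first finding in Appendix A turns on a single configuration value: the STAR application retained 6 previous passwords where TD P 85-01 (security control IA-5(1)) requires 10. The following is an added example, not code from this report or from the STAR application, that models what that control actually does: it retains the salted hashes of the last N passwords, rejects any change that matches one of them, and then simulates how many changes a user needs to cycle back to an old password at a depth of 6 versus 10. The hashing parameters, the sample passwords, the one-day minimum age and every name in the block are assumptions for illustration only.

```python
"""Password-history enforcement with a configurable retention depth.

Added example, not code from the OIG report or from the STAR application.
It models the control behind the first finding: TD P 85-01 (control
IA-5(1)) requires the last 10 passwords to be retained and blocked from
reuse, while STAR retained 6. The hashing parameters, the sample passwords
and the minimum-age figure below are assumptions for illustration only.
"""
import hashlib
import hmac
import os
from collections import deque

TD_P_85_01_HISTORY_DEPTH = 10  # generations of history the finding cites


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-entry random salt. The iteration count
    # is kept low only so the simulation below runs quickly (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


class PasswordHistory:
    """Retains salted hashes of the most recent `depth` passwords and,
    optionally, enforces a minimum age between changes."""

    def __init__(self, depth: int, min_age_seconds: int = 0):
        if depth < 1:
            raise ValueError("history depth must be at least 1")
        self.depth = depth
        self.min_age_seconds = min_age_seconds
        self._entries = deque(maxlen=depth)  # oldest entry drops off automatically
        self._last_change = None

    def is_reuse(self, candidate: str) -> bool:
        # Re-derive the hash under each retained salt; compare_digest keeps
        # every individual comparison constant-time.
        return any(
            hmac.compare_digest(_hash_password(candidate, salt), digest)
            for salt, digest in self._entries
        )

    def change_password(self, new_password: str, now: int) -> str:
        """Return "ok", "too-soon" (minimum age not reached) or "reused"."""
        if self._last_change is not None and now - self._last_change < self.min_age_seconds:
            return "too-soon"
        if self.is_reuse(new_password):
            return "reused"
        salt = os.urandom(16)
        self._entries.append((salt, _hash_password(new_password, salt)))
        self._last_change = now
        return "ok"


def meets_td_p_85_01(configured_depth: int) -> bool:
    """The comparison the auditors made: is the configured history deep enough?"""
    return configured_depth >= TD_P_85_01_HISTORY_DEPTH


def simulate_cycle_back(depth: int, min_age_seconds: int = 0,
                        favourite: str = "Winter2011!") -> tuple:
    """Simulate a user who burns through throwaway passwords to get back to
    `favourite`. Returns (throwaway changes needed, seconds elapsed)."""
    history = PasswordHistory(depth, min_age_seconds)
    now = 0
    if history.change_password(favourite, now) != "ok":
        raise RuntimeError("first change should always succeed")
    changes = 0
    while True:
        now += min_age_seconds  # a patient user waits exactly the minimum age
        if history.change_password(favourite, now) == "ok":
            return changes, now
        changes += 1
        if history.change_password(f"throwaway-{changes}", now) != "ok":
            raise RuntimeError("throwaway password unexpectedly rejected")


if __name__ == "__main__":
    for depth in (6, TD_P_85_01_HISTORY_DEPTH):
        print(depth, meets_td_p_85_01(depth),
              simulate_cycle_back(depth), simulate_cycle_back(depth, 86400))
```

Running the block directly prints both depths side by side. The simulation also shows why history depth on its own is a weak control: with no minimum password age, a user can burn through 10 throwaway passwords in seconds and land back on the old one, so a depth of 10 costs the user only four more keystroke sequences than a depth of 6. With a one-day minimum age, the same trip takes at least 11 days. Minimum and maximum lifetime restrictions are part of the same IA-5(1) enhancement in NIST SP 800-53, which is why a review of "password parameters" should read the age settings alongside the history depth.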